the_easiest_RSA

已于 2022-02-20 23:22:58 修改
阅读量656 收藏 1
点赞数
分类专栏: 逗比学CTF 文章标签: python
于 2022-02-20 23:20:07 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_45963786/article/details/123037979
版权

写在最最最开头!!感谢Xenny,真的太强了。

强到离谱的社区群:941849249

可以变强的提升平台:https://www.ctfer.vip/

the_easiest_RSA

文章目录

一、关键代码

# 解题最后一步
p = getPrime(512)
q = getPrime(512)
r = getPrime(512)
N = p*p*p*q*q*r
E = random.getrandbits(3) * N
assert E != 0
c = gmpy2.powmod(flag, E, N)
print(c)
print(N)
# hint 求p
e = 65537
P = getPrime(512)
Q = getPrime(512)

hint = pow(p, e, P*Q)

print(hint)
print(P*Q)
print((P >> 128) << 128)
# 提示2 求r
d = getPrime(random.randint(300, 400))
for _ in range(3):
    p = getPrime(512)
    q = getPrime(512)
    e = inverse(d, (p-1)*(q-1))
    print(e)
    print(p*q)
    print(gmpy2.powmod(r, e, p*q))

二、求p

题目过滤掉了P的低128位,利用sage脚本还原P

# sage已知高位

n = 129598944864570286711257254190688970116061394945902262132637837607155691534901891874898804628551250475809878184980250423116425629504829218758694159097845195849688057501913130236213551965850401688761660210649412509677916025475768279720856263985963483363054912938167263889108321013097060701261847903023751603783
# 已知高位但低位未知所以用0代替的p
p_fake = 9668921579171597585499447713067041809069631091614339848644986390369689049549311953755504257359033378043919414270533815757770616304600284932131446188933120
# p的总位数(包括0)
pbits = 512
# p的低位0的位数
kbits = 128
# 取出p_fake的高有效数据位 (pbits-kbits)
pbar = p_fake & (2^pbits-2^kbits)
print("upper %d bits (of %d bits) is given" % (pbits-kbits, pbits))

# 生成一个以x为符号的一元多项式环
PR.<x> = PolynomialRing(Zmod(n))
# 定义求解的函数
f = x + pbar
# 多项式小值根求解及因子分解,X表示求解根的上界
x0 = f.small_roots(X=2^kbits, beta=0.4)[0]  # find root < 2^kbits with factor >= n^0.4
print("p =", x0 + pbar)
# sage output:
# upper 896 bits (of 1024 bits) is given
# p = 9668921579171597585499447713067041809069631091614339848644986390369689049549311953755504257359033378043919414270534152167383591216019342887762779500767333

有了P然后求D,进一步解得最终的p

N = 129598944864570286711257254190688970116061394945902262132637837607155691534901891874898804628551250475809878184980250423116425629504829218758694159097845195849688057501913130236213551965850401688761660210649412509677916025475768279720856263985963483363054912938167263889108321013097060701261847903023751603783
P = 9668921579171597585499447713067041809069631091614339848644986390369689049549311953755504257359033378043919414270534152167383591216019342887762779500767333
Q = N // P
print(isPrime(Q),isPrime(P))
print(N==Q*P)
pi = (P-1)*(Q-1)
E = 65537
D = inverse(E,pi)
hint = 16878097429245530783722133903335212997338285713528713518214728003109174057419513597435122346281201284646480963258130374854750513855615182217644866872008113132819712534581407200402921675953522872066521179022899208737556113901714813515435317960410119875807051040562903175897676599310066517576035935453343096176
p = pow(hint,D,N)
print('p={}'.format(p))
# p=9311389858490364943720442507785055171284652087229819685825097201889131032147259180480486964464071289391134460834678366517191750266970473336556845313099299

三、求r

题目给出3组e、n、c,使用同一个解密指数d,可以利用共解密指数攻击

"""
	instance: 共私钥的RSA实例,为一个列表。该列表的每一项都是字典,instance[i]['e']为第i个RSA实例的e,instance[i]['n']为第i个RSA实例的n。
"""
def common_private_attack(instance, debug=False, algo="LLL"):
    r = len(instance)
    instance.sort(key=lambda x: x['n'])
    M = isqrt(instance[r-1]['n'])  
    
    # Build up Lattice basis B
    B = zero_matrix(r+1)
    B[0,0] = isqrt(instance[r-1]['n'])
    for i in range(1, r+1):
        B[0,i] = instance[i-1]['e']
        B[i,i] = - instance[i-1]['n']
    if debug:
        print("The basis of the lattice we build is:"); print(B)
    
    if algo == "LLL":
        print("Performing LLL reduction..."); B = B.LLL(); print("Done.")
    elif algo == "BKZ":
        print("Performing BKZ reduction..."); B = B.BKZ(block_size=len(instance)); print("Done.")
    
    dM = B[0,0]; d = dM // M;
    # 有时会算出负数
    d = abs(d)
    print(" dM = {} \n d = {}".format(dM, d))

    if dM % d != 0:
        print("Fail to attack these instances.")
dis = [{'e':62107649509595242260985498327362230941626733067909292964711077861884146968524393764549978678481337866348155507716861513326215214728666866477949784023770316976362154222660504811750477838578740521375720597325282479620370158522735575267677677627701353953212156190034408849328503959153342762221926374264053027651,'n':67579813462861282603878327365415253479748370444280113659516130158257373144865467721142569985644927503038822420065524866315225928246828792249490533229575947082470389136063299556830923056174751579905301516931214272550115993594315842786096430348075897579116823654287501623490668169368021982112903184521155573913},
       {'e':91192552959561428901656549453218797211868769229233439570717955188623406593563432307707960017979715994917565882187916480701764277374291128398193565958202598121995066809779140100094491765621015244861869229514784953473829213702003938343693811097627126522188939960339060256479815744446331158926365400274238028803,'n':145976333950451146706634444715893701001415694969457685717184514123014409796207997822737095943734058825931815179434454452685649437531207567414124727379200649895041575542203007316327684029138254183417139206402982005390406598463240894803145304868204357139854460643072986259403556166319722155275780519872827754001},
       {'e':4348966282620964954863899244212242209662910510540204052319150144997303917002071013261204634030736441865929558840715828654566490722583303627043645709981719634890521886934419212195617473300525466133160115932823693249802971146445286315031167637623058158377524494603782928165138698101778238053574351792657563451,'n':114384787632841079048253220979777713739378268018153910083526618289368903392067250680542910855256598382688914805519303106227087573050573700914832336749171834216673179324531933347009364551694605224494508471020884280687659081308509494051018386566231526806905131686822699316935571781598420232882825708380668614959}
      ]
common_private_attack(dis)
# d=1716416079241233716625248301516952595875940503559090013896892408818970255922223460792344537064305948164590602452651

有了d,随便找一组就可解出r,两组同时解验证。

n1 = 67579813462861282603878327365415253479748370444280113659516130158257373144865467721142569985644927503038822420065524866315225928246828792249490533229575947082470389136063299556830923056174751579905301516931214272550115993594315842786096430348075897579116823654287501623490668169368021982112903184521155573913
n2 = 145976333950451146706634444715893701001415694969457685717184514123014409796207997822737095943734058825931815179434454452685649437531207567414124727379200649895041575542203007316327684029138254183417139206402982005390406598463240894803145304868204357139854460643072986259403556166319722155275780519872827754001


c1 = 44895788412038052695271062935700716710096003298843992074268472656998545241926732108950821556069616732076856678399420376306910893249787211937079298205642283799656520246258313504817817458304786535103541978444946220878715540007449758361747501173764050786368425155938627897404095196249573688998161424566538215211
c2 = 118646230308595736293557458002246449715272997471287476720892059140635772575366965589594008104571451357876148349049494917497089671954768795248628188373157874503999033641380460371296189332326326200325179238137611884575706925732632477362082825468087511470153618687379759876359719277900240063537113215552047135841



d = 1716416079241233716625248301516952595875940503559090013896892408818970255922223460792344537064305948164590602452651
m1 = pow(c1,d,n1)
m2 = pow(c2,d,n2)
if m1==m2:
    print('r={}'.format(m1))
else:
    print('NO')

# r=7574044323095532570708874898079912819078129425978705352911750180288319220089479831579074114970296032516798538410455385107525890661740100367688530443421677

四、求q

利用题目已知条件N =p*p*p*q*q*r,解得q

n=821637946044802094902953070074543102306869884873579423162145698218212560752410698552506108846314463135908371234866705393800979683814845596389525129326843295858831422249359573708068647304839244720782685985712635619803869885580152819572638671856305962843339690425926129690760888646694946355455239998544856723512643532949252060312278317964664482052587982507958159258844472388626094774180039916713900974760162202618717715095611085672884887397115862509389558231090407267917488769658024219676982762849860539850223529342350530344977168605879645515110890101177408181561604973969678649331052536135175711781614723243018625804914041552004680786359005886756891564089784004207698042480302197023219264076080698310436288830578669279862026461034180820755901345813488788532773026518857742317030969388255891451584375641479739761793484573965281435630150744924011181628797817182465011004325359576146400420432678566110402359833633223404347714023

q = gmpy2.iroot(n//p//p//p//r,2)[0]
print('q={}'.format(q))
# q=11591898166184703407170679039468830396172686422497264355129193372385309176446185445291532443964976728310025509569413731127733013564906117798148077662926901

五、求解flag

归整求得结果,求解flag

p=9311389858490364943720442507785055171284652087229819685825097201889131032147259180480486964464071289391134460834678366517191750266970473336556845313099299
q=11591898166184703407170679039468830396172686422497264355129193372385309176446185445291532443964976728310025509569413731127733013564906117798148077662926901
r=7574044323095532570708874898079912819078129425978705352911750180288319220089479831579074114970296032516798538410455385107525890661740100367688530443421677
c = 254405107303005845049072747258149485455665434531849341949389151702896351704377285067476806399735915847551051984934926645265066676195182212668342809240170275111601925685425108739633735306028738440813976431594863569098420495195211247259496523691182750966814434291138671594822376699489067358139495566395880145059037908529964205911131567968259107857590036018068978645060903255984751462867095474972084318246942230515795372922732450012495738566643657477922873319803490046893484493433788181603654210794341892738158118219924980457355211094042834795257379632330516037706451375827720587904837405865838650441538283621256535491641274818330647441525602168055479178687963531914961778234475318884588150397234095722213462400828744953497197126537474009027706337497767417837993861139340860874583027430907228716660953102425009174890588920766879848601641875277580421221804043645286722094547226197336752873572741091909840169196029400597100303993
n = p*p*p*q*q*r
# phi =(p*p*(q-1))*(p*(p-1))*(r-1) 无逆元

# 可以换成phi(p*q*r)和n的逆元,那么他们就在模p*q*r下成立

phi_qpr = (p-1)*(q-1)*(r-1)
d= inverse(n,phi_qpr)

for i in range(1,8,1):
    m = pow(c,d,q*p*r)
    flag = long_to_bytes(gmpy2.iroot(m,i)[0])
    if b'flag' in flag:
        print(flag.decode())
# flag{th1s-i5-7he-fla9}
名为逗比
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
RSA原理及Python实现
0verWatch的博客
01-12 7379
简介 RSA是第一个安全,实用的公钥加密算法,已成为国家标准,是目前应用广泛的公钥加密体制,RSA的基础是数论的欧拉定理,它的安全性依赖于大整数因子分解的困难性,因为加解密次序可换,可用于加解密,可用于设计数字签名体制。 算法流程 选取两个安全的大素数p和q(其长度要足够长至少要是1024位) 计算乘积n = p * q, 计算phi(n) = (p-1)*(q-1),其中phi(n)为n的欧拉...
RSA实现
weixin_55767957的博客
03-21 42
RSA的简单实现,没有验证p和q是否很大
PyPI 官网下载 | xenny-1.0.tar.gz
01-30
资源来自pypi官网。 资源全名:xenny-1.0.tar.gz
BUUCTF NewStarCTF一些新知识记录
Aiwin的博客
09-21 3095
BUUCTF NewStarCTF一些新知识记录
数学丢哪去了——记录两道RSA解密python脚本
tempulcc的博客
09-10 410
Rsa简介 RSA算法基于一个十分简单的数论事实:将两个大质数相乘十分容易,但是想要对其乘积进行因式分解却极其困难,因此可以将乘积公开作为加密密钥。 RSA算法是一种非对称密码算法,所谓非对称,就是指该算法需要一对密钥,使用其中一个加密,则需要用另一个才能解密。 RSA公开密钥密码体制。加密算法E和解密算法D也都是公开的。 RSA 加密原理 步骤 说明 描述 备注 1 找出质数 p、q 2 计算公共模数 n = p * q 3 欧拉函数 φ(N) = (p-1)(q-1) 4 计算公钥e 1 < e
CTF-RSA经典题目之P=pow(p,2,n)
m0_55017965的博客
05-05 498
CTF-RSA的一类型题目
RSA
qq_31798427的博客
02-14 472
通过这个题算是实际了解了下RSA的破解过程吧。 首先要做的是通过题目给的公钥文件把n,e求出来,利用以下代码: from Crypto.PublicKey import RSA pub = RSA.importKey(open('xxx\public.pem').read()) n = long(pub.n) e = long(pub.e) print n print e 得到n以后,由
C_Examples.zip_The Beginners
09-24
Set of examples of C programming language, for beginners. Starting for the easiest one (example 1), they increase the complexity.
inputsdlg.rar_In the Making_matlab-form
09-24
描述中提到"matlab form useful for making large forms in the easiest way possible",这表明这个MATLAB形式或者GUI设计是为简化创建大型、复杂的用户界面而设计的。在MATLAB中,创建这样的界面通常涉及到用GUIDE...
FFT.rar_FFT PROJECT_On Purpose
09-22
this is a sample FFT DFT algorithm test project. This project uses microsoft visual studio 2008 and ... The main purpose of this project is finding easiest calculation algorothm for microcontrollers
Flappy-Bird_Using_C_Sharp-Easiest_Way-
05-03
《使用C#轻松构建飞扬的小鸟游戏》 飞扬的小鸟(Flappy Bird)是一款曾经风靡全球的休闲游戏,其简单的操作和极具挑战性的玩法吸引了众多玩家。在本文中,我们将探讨如何使用C#编程语言,以最简单的方式实现这款...
PyQt5_sip-4.19.14-cp37-none-win_amd64.whl
02-17
The format of a specification file is almost identical to a C or C++ header file, so much so that the easiest way of creating a specification file is to edit the corresponding header file. ...
CTF中关于RSA的常见题型
abtgu的博客
09-11 1万+
CTF中关于RSA的常见题型 关RSA算法原理的描述请看https://blog.csdn.net/weixin_43790779/article/details/105622327 1.已知(p, q, e),求d。 示例:【CTF秀-crypto4】 p=447685307 q=2037 e=17,提交flag{d}即可。 解题思路: import gmpy2 p = 447685307 q = 2037 e = 17 phi = (p-1)*(q-1) d = gmpy2.invert(e,phi
安恒月赛-dasctf 部分writeup
热门推荐
zhang14916的博客
04-26 3万+
1.crypto-not rsa 题目很简单,r是一个随机数,g=n+1,已知(pow(g,m,n*n)*pow(r,n,n*n))%(n*n)=c,即密文c,求解明文m。我们根据二项式定理易知可将pow(g,m,n*n)=pow(n+1,m,n*n)=pow(m*n+1,n*n)。由于n=p*q,所以我们知道phi(n*n)=p*(p-1)*q*(q-1)。我们对加密公式两侧同时加(p-1)*...
欧拉函数的应用-RSA加密算法
GD_ONE的博客
12-09 2535
若p和q互质,令n = p*q 则ola(n) = (p-1)*(q-1) 我们知道p和q的值能轻易知道(p-1)*(q-1)的值也就是ola函数的值,但是仅仅知道n是多少,却非常难得到p和q是多少,因为当n很大时,例如有几百位时,它就有非常多的质因数,要暴力穷举很长时间。所以这就保证了RSA加密算法的可靠性。 RSA加密是非对称加密,密钥 由公钥和私钥组成。 公式为: (明文)^e % ...
rsa加密相关基础知识
kaylahuang的博客
03-16 3702
RSA 基本原理: 选取两个不同的大素数p、q,并计算N=p*q,选取小素数d,并计算e,使d*e % (p-1)(q-1)=1, 对于任意A<N: 若B=A**d % N 则A=B**e % N 可见d、e形成了非对称秘钥关系,加密者用公钥d加密,解密者可用私钥e解密,第三者即使拦截了密文B、公钥d和N,在不知道p、q的前提下,无法推算出e,从而无法获得明文A。当N取非常大的值时,将其因式分解成p、q是非常困难的,例如当N为1024 bit时,据分析,需动用价值数千万美金的大型计算机系统并耗..
RSA合集
2h4ox1n9
05-23 1288
rsa
【密码学】破解RSA密码(Python代码实现)
Mitchell_Donovan的博客
12-26 1万+
题目描述 已知有人写了如下的代码,并将生成的(n,e,c)以及(n2,e2,c2,(p2+1)*(q2+1))输出。 from Crypto.Util.number import * def ef(): p=getPrime(512) q=getPrime(512) flag=open("flag","rb").read() m=bytes_to_long(flag) e=65537 n=p*q c=pow(m,e,n) print(n,...
逗比学CTF.day5
weixin_45963786的博客
01-20 1801
BUU BURP COURSE 1 比较基础的IP伪造题目,基础题get到新的知识点,通过伪造X-Real-IP字段实现本地访问 一、原题无源码 打开后,只提示需要本地访问。 二、伪造xff 一说到伪造IP地址,实现本地访问,第一想到的就是X-Forwarded-For字段 但是仍然提示“只能本地访问”,服务器检测的不是xff这个字段。然后只能去问度娘 X-Real-IP字段映入眼帘 三、伪造X-Real-IP字段 这次不在提示“只能本地访问”,说明IP绕过成功,下面继续看html编码 三、代码分
pytorch-fcn-easiest-demo-master_pytorch_fcn_demo_
最新发布
09-08
pytorch-fcn-easiest-demo-master_pytorch_fcn_demo_是一个基于PyTorch库的最简单的FCN(Fully Convolutional Networks)演示项目。 FCN是一种深度学习的语义分割模型,用于将图像中的每个像素分别分类到对应的语义...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值